Hello,
I am trying to configure ADFS 3.0 on Windows Server 2012 R2 for Single Sign on with Exchange 2013. There seems to be very little information regarding configuring ADFS in an Exchange resources forest deployment, so I am hoping someone has come across this and has a solution :)
The environment:
There are four forests in the environment, consisting of:
- User forest 1 - user1.local
- User forest 2 - user2.local
- User forest 3 - user3.local
- Resource forest 1 - resource.local
The resource forest contains all of the Exchange infrastructure.
The user forests contain all the corporate users, who have linked mailboxes in the resource forest.
Each user only has one account, which will exist in one of the 3 user forests, and uses their employee ID number (e.g. ID12345) to sign in.
There is a one-way outgoing trust between the resource.local forest and each of the user forests. There are no trusts between the user forests.
The problem:
I would like to configure ADFS for OWA to allow the corporate users in the user domains to access their mailbox. Please keep in mind that these users only have accounts in their respective user domain, and their account / "place-holder" AD object in the resource forest is disabled.
The ADFS farm will be deployed in the resource forest.
Environmental Restrictions:
- A two-way trust between the user forests and resource forest cannot be created
- We cannot migrate to Office365
- We cannot use Azure AD
- A new forest containing all users cannot be created
My research on this suggests that I will need to:
- Deploy ADFS servers in each of the user forests
- Add the user forests' ADFS farms as Claims Provider Trusts in the resource forest's ADFS environment
- Add the resource forest's ADFS farm as a Relying Party Trust in each of the user forests' ADFS farms
- Configure OWA (and ECP) as Relying Party Trusts in the resource forest.
I have done the above, but this does not appear to be working. When I browse the OWA URL, I get the ADFS log-on page listing each of the user forests (I believe these are integrated Identity Providers (IdPs) for each of the Claims Provider Trusts I created with the user forests). Selecting one of these and trying to sign in with a user's UPN returns the "Something went wrong" OWA message with the "UpnClaimMissing" ADFS error in the URL. All Claims Provider Trusts (in the resource ADFS) and the Relying Party Trusts (in the user forests) all have the
Is this the correct approach? Should I be adding the user domains as attribute stores in the ADFS server in the resource forest instead (not sure about this one, but thought I'd throw it out there anyway)?
Thank you
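The trust chain the post describes (user-forest AD FS as claims provider, resource-forest AD FS as relying party of it, OWA as relying party of the resource-forest AD FS), written out with the AD FS PowerShell cmdlets as an added example. This is not the poster's configuration and not Microsoft's documentation; the farm names (sts.user1.local, sts.resource.local), the OWA URL (mail.resource.local), the trust display names and the certificate thumbprint are assumptions chosen for illustration. The point it shows is that the UPN and primary SID claims have to be issued in the user forest and then passed through, unchanged, across both hops; the resource-forest AD FS cannot look the user up in its own directory because the user never authenticated there.

```powershell
# ============================================================
# Part 1: run on the AD FS farm in EACH user forest (user1.local shown).
# Assumed: the resource-forest AD FS farm is reachable at sts.resource.local.
# ============================================================

# Issuance rules for the relying party trust that represents the resource forest.
# The user authenticates here, so this is the only place the account's UPN and
# SID can be read from Active Directory.
$userForestIssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN from this forest's AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);
'@

Add-AdfsRelyingPartyTrust -Name "Resource forest AD FS (sts.resource.local)" `
    -MetadataUrl "https://sts.resource.local/FederationMetadata/2007-06/FederationMetadata.xml" `
    -IssuanceTransformRules $userForestIssuanceRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# ============================================================
# Part 2: run on the AD FS farm in the RESOURCE forest.
# ============================================================

# Acceptance rules for each claims provider trust: accept the UPN and primary SID
# that the user-forest AD FS issued. No LDAP lookup here; the matching object in
# resource.local is a disabled place-holder, and there is no "AD AUTHORITY"
# windowsaccountname claim for a federated user to key such a lookup on.
$acceptanceRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Accept UPN from the user forest"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Accept primary SID from the user forest"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);
'@

# One claims provider trust per user forest; only the metadata URL differs.
foreach ($forest in 'user1.local', 'user2.local', 'user3.local') {
    Add-AdfsClaimsProviderTrust -Name "Users in $forest" `
        -MetadataUrl "https://sts.$forest/FederationMetadata/2007-06/FederationMetadata.xml" `
        -AcceptanceTransformRules $acceptanceRules
}

# Relying party trust for OWA. Exchange expects exactly these two claim types,
# so the issuance rules are again pass-through, not an AD query.
$owaUrl = "https://mail.resource.local/owa/"
Add-AdfsRelyingPartyTrust -Name "Outlook Web App" `
    -Identifier $owaUrl `
    -WSFedEndpoint $owaUrl `
    -IssuanceTransformRules $acceptanceRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Check: every claims provider trust must carry the UPN pass-through rule,
# otherwise the claim is dropped at the forest boundary and OWA reports UpnClaimMissing.
Get-AdfsClaimsProviderTrust |
    Where-Object { $_.AcceptanceTransformRules -notmatch 'identity/claims/upn' } |
    ForEach-Object { Write-Warning "No UPN acceptance rule on claims provider trust '$($_.Name)'" }

# ============================================================
# Part 3: run in the Exchange Management Shell (resource forest).
# Assumed: the thumbprint below is a placeholder for the resource AD FS token-signing certificate.
# ============================================================
Set-OrganizationConfig -AdfsIssuer "https://sts.resource.local/adfs/ls/" `
    -AdfsAudienceUris $owaUrl, "https://mail.resource.local/ecp/" `
    -AdfsSignCertificateThumbprint "PLACEHOLDER_TOKEN_SIGNING_THUMBPRINT"
```

The single claim rule string is reused for both the claims provider trusts and the OWA relying party trust on purpose: at both hops the resource-forest AD FS only forwards claims, so any rule there that tries to read userPrincipalName from its own directory will match nothing and silently issue no UPN. Running the `Get-AdfsClaimsProviderTrust` check after a change is a quick way to spot a trust that was created from metadata without its acceptance rules.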